Category: Public Key Infrastructure

Jan 06 2013

Powershell: Monitor the trusted root certification authorities store, Event Schannel ID 36885-36887

The root update package KB931125, once applied, might break the authentication process on servers using certificate-based authentication. This problem was reported for LDAP over SSL authentication on a Domain Controller, IIS authentication on a web server, and IAS authentication on a RADIUS server (called Network Policy Server under Windows 2008). The symptoms, patch and workarounds for this issue are explained in this KB. The patch is only available for Windows 2003, and the root update package (KB931125) cannot be uninstalled via WSUS once applied.

Aug 22 2012

Windows server 2012: PFX Certificates and SNI feature under IIS 8.0

Unless you’ve been living underground for the last few weeks, you should have already heard that Windows Server 2012 RTM is available :-). Last time I blogged about this operating system it was still named Windows Server 8 Developer Preview. In this post I will describe how IIS 8 supports multiple SSL website certificates on a single IP and port; this feature is called Server Name Indication (SNI) and has been supported under Apache since version 2.2.12… I will also cover the new features provided in Windows Server 2012 for exporting/importing certificates in the PFX file format, in order to deploy certificates on a web server farm.

Jan 26 2012

Windows 8: Install and configure ADCS

In this post we will describe how to install ADCS on Windows 8 Developer Preview, and how to configure your PKI with PowerShell.

First, we will install the ADCS role with Server Manager:



Dec 19 2011

OWA published with a TMG array member of a domain located in the DMZ

In this post we will describe how to set up Threat Management Gateway in a domain located in the perimeter network (DMZ) in order to publish your Outlook Web Access external URL and ensure a secure SSL connection. The OWA site is installed on the CAS servers of your Exchange infrastructure. The internal URL, registered in your private DNS, is accessed by the computers in your internal network, which are members of your domain. The external URL, registered in your public DNS, is accessed by any computer connected to the internet, which obviously is not necessarily a member of your domain. To get both the internal and external URL, launch the following command in the Exchange Management Shell:

Get-OwaVirtualDirectory | ft server,InternalURL,externalURL


Sep 08 2011

Sign an Excel macro with a certificate issued by your enterprise PKI

This article describes how to digitally sign an Excel VBA project with a certificate issued by your ADCS PKI. You can use the same method to sign any Office VBA project but in this post we will focus on Excel. For an introduction on how to sign Office macros you can read these KB and MSDN articles.

Apr 29 2011

Powershell: Enterprise CA, Create SAN certificates for IIS7 servers

In this post we will show how to create a SAN certificate for IIS 7 using an Enterprise PKI. This kind of certificate permits you to host multiple SSL sites on a single server. To achieve this with a PowerShell script we will use PSRemoting and the IIS cmdlets.

We launch the script from the server where we administer the PKI with the ADCS RSAT. We will use PSRemoting for several steps: first, to create the CSR on the IIS server before sending the certificate request to the Certification Authority; then, once the certificate is issued, to retrieve it and install it in the IIS 7 server certificate store; and finally, to configure IIS 7 to use this certificate on the default web site.

Sep 06 2010

Domain Controller certificates: Kerberos Authentication template

When you install a Windows 2008 Certification Authority, a new domain controller certificate template named Kerberos Authentication is available. It replaces the Domain Controller Authentication template. If you need more information about the new certificate templates shipped with a Windows 2008 CA, you can read this article.

Here is a table that outlines the specific attributes of the Domain Controller Authentication and Kerberos Authentication templates:

Attribute                  Domain Controller Authentication   Kerberos Authentication
-------------------------  ---------------------------------  ------------------------------
Key Usage                  Client Authentication              Client Authentication
                           Server Authentication              Server Authentication
                           Smart Card Logon                   Smart Card Logon
                                                              KDC Authentication
Subject Alternative Name   DNS Name: Domain Controller FQDN   DNS Name: Domain FQDN
                                                              DNS Name: Domain NetBIOS name
